Can A Cybercrime Convention For All Be Achieved?

A new UN cybercrime treaty process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it. 

At the end of February, negotiations for a UN treaty to counter cybercrime began. This is significant for many reasons.

Firstly, while there are several instruments that address cybercrime, this is not only the first time states are negotiating a binding UN instrument on cybercrime, but also the first time states are negotiating a binding instrument on any cyber issue.

Secondly, the convention has the potential of reducing impunity of cybercriminals by harmonizing national approaches to criminalization. Relatedly, the convention could play a crucial role in improving international cooperation by providing effective investigatory frameworks and facilitating cross-border data exchange.

Moreover, the convention  could help build the capacity of countries with less experience in tackling cybercrime and provide the basis for technical assistance.

Challenges Lie Ahead

Despite such potential, the process of negotiation will not be straightforward. This became glaringly evident during the first of six rounds of negotiations, held between the 28th of February and the 11th of March, when several areas of divergence but also convergence emerged.

Cybercrime causes significant harm to developing countries’ societies and economies, which has only been exacerbated by the pandemic.

Over the course of the first ten days of negotiations, many delegations from developing countries expressed their urgent need for a practical legal tool that could help them tackle cybercrime. This issue causes significant harm to their societies and economies, which has only been exacerbated by the COVID-19 pandemic.

Many developing countries – including those represented by CARICOM – are optimistic about the role this convention could play in fighting cybercrime, bridging the digital divide, and harnessing the potential of ICTs. 

But to get there, there are key points that states need to agree on. One of which is what is cybercrime and what should be included in the scope of the treaty?

Narrow Scope of Cybercrimes

Countries have varied objectives of what they want this treaty to achieve. Western countries, for example, want to see a convention which includes a narrow scope of crimes. ‘Pure cybercrimes’ are known as cyber-dependent crimes, which refers to crimes that cannot happen without the use of ICTs.

These are often ones where a computer or data is the target of the criminal activity, such as malware, denial of service attacks, ransomware, etc. and include crimes that do not predate the existence of ICTs. Cyber-dependent offences have definitions broadly recognized by all countries.

They also advocate for including certain cyber-enabled crimes. These are traditional crimes where ICTs were used as an instrument, rather than as a target of the offence. The concept of cyber-enabled crimes applies to a very broad range of offences given how ICTs have infiltrated almost every aspect of our lives. So the offences that they have argued to be included are the ones where the use of ICTs significantly increase the scope, speed, scale of the crime but also the anonymity of the perpetrator.

For these offences, two main examples are often given: online child sexual exploitation, and computer fraud. They call for strong human rights safeguards to be embedded throughout the treaty.

Expanded Scope Of Cybercrimes

Other countries, such as India for example, have stated that a limited convention may create more problems than solutions as technology evolves. They call for an expanded scope in the convention which, in addition to the pure cybercrimes, would include a longer list of cyber-enabled crimes.

The lists of offences vary between countries but include offences such as the use of ICTs for terrorist reasons, the distribution of narcotic drugs, and arms trafficking, in addition to content-related offences such disinformation, coercion to suicide, hate speech, extremism and others.

This expanded scope entails risks. First, several of those suggested traditional crimes are addressed in other instruments. Including them in this convention risks not only duplication of efforts but contradiction with other treaties, as well as with national approaches to these issues.

Second, some of the suggested content offences, such as extremist content, are treated differently in national jurisdictions. While some content is considered a criminal offence in one jurisdiction, it might be subject to civil liability in other jurisdictions or entail no liability at all.

The UN Human Rights Office highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression.

In its submission to the process, the UN Human Rights Office stated that a future convention should focus on core cybercrimes and should avoid including content offences. It highlighted how cybercrime laws have been used to impose overly broad restrictions on free expression by criminalizing various online content related to extremism, terrorism, public morals or hate speech. The OHCHR stressed the importance of a future international instrument on cybercrime not to be interpreted as justification for such steps.

The Risk Of No Consensus

But it is very important to note that this debate on trying to define what should and should not be considered cybercrime is at least a decade old. This debate has happened in several contexts including at the UN, where an agreement on a single definition of cybercrime was not possible.

There is nothing to suggest that this might change in the context of this process. Ultimately, this means there is a risk of not achieving consensus, and not having a convention at the end of this rather short process. If this was to happen, the countries who will probably be most affected are the developing countries.

Most developed countries have systems, resources, expertise and capabilities in place which enable them to tackle cybercrime. Western countries, for example, have a long history of working on cybercrime issues nationally but also regionally and internationally. They are state parties to the Budapest Convention and have good cooperation mechanisms within regional bodies such as Europol.

However, the same cannot be said about developing countries. As some delegations have highlighted during the negotiations, often international cooperation on cybercrime does not fail due to lack of will but rather lack of capacity. And whilst some of these countries have also ratified the Budapest Convention, their resources and capabilities tend to be unsurprisingly significantly less than those of developed countries.

Whilst some developing countries have also ratified the Budapest Convention, their resources and capabilities to tackle cybercrime tend to be unsurprisingly significantly less than those of developed countries.

Whether or not a UN convention on cybercrime is needed is also an old debate. However, the process currently underway presents an opportunity for many delegations from the developing countries to have a tool that would facilitate international cooperation on cybercrime and help them tackle the challenge. But can this be achieved in this process?

A Legal Basis For Gathering Data

Despite the differences between countries on how to define cybercrime for the purpose of the treaty and what to include in the scope, most countries acknowledge that the convention should include criminal activities committed that are broadly recognized by the international community.

Some delegations have suggested that the convention could act as a legal basis for the gathering of electronic evidence without linking cooperation to the investigation of certain offences that the convention sets out.

As put in the Chinese submission to the UN process, ‘regarding other crimes committed by using ICTs, member states could prevent and combat relevant crimes, which are not listed in this convention, and carry out international cooperation in accordance with this convention, other international conventions and their respective domestic laws.’

This approach has been successfully used in the context of the United Nations Convention against Transnational Organized Crime (UNTOC) where the convention criminalized a specific set of core types of organized crime activity but included broad international cooperation provisions that can be applied to other types of serious crime committed.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that is impeding them from harnessing the potential of ICTs.

Several states have argued for a similar approach to be followed in this process which would mean that defining the different types of criminal behaviour becomes less important as states will have a legal basis for gathering and exchanging data, irrespective of the criminal offences covered in the convention.

There is palpable eagerness amongst many countries about having an instrument that can help them address the problem of cybercrime that they have been grappling with for several years, a problem that is impeding them from harnessing the potential of ICTs in their own countries.

Countries realize that this convention can give them the tools they need to leapfrog into a place where they have a better grip of the situation. How likely it is that this will happen is difficult to say, but what is clear is that this process is raising strong awareness about one of the biggest global challenges and the complexities of addressing it.

Joyce Hakmeh is Senior Research Fellow, International Security Programme  at Chatham House and  Co-Editor of the Journal of Cyber Policy.

You Might Also Read: 

Tackling Cybercrime: Time For The Regional Gulf Cooperation Council To Join Global Efforts:

 

« US Banks Hit By Russian Cyber Attacks
No future For IoT Security Without Secure Access Service Edge (SASE) »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Qolcom

Qolcom

Qolcom is a leading UK based integrator of secure wireless network and mobile device management solutions.

InfoWatch

InfoWatch

InfoWatch solutions allow you to protect data and information assets that are critically important to your business.

SCIPP International

SCIPP International

SCIPP’s courses are based on internationally recognized best business practices for security awareness, for both technical and non-technical staff and to comply with regulatory mandates.

Quorum Cyber

Quorum Cyber

Quorum Cyber offer end-to-end cyber security solutions, specialising in Managed Security Services, Consulting and Resourcing.

TorGuard

TorGuard

TorGuard is a Virtual Private Network services provider offering secure encrypted access to the internet.

KOS-CERT

KOS-CERT

KOS-CERT is the national Computer Incident Response Team for Kosovo.

InFyra

InFyra

InFyra is an IoT & Telecoms specialist consultancy, with extensive global and local experience in business and technology strategy, networks and solutions development.

Onward Security

Onward Security

Onward Security provides security solutions including network & application assessment, product security testing and security consulting services.

CyberForum

CyberForum

CyberForum supports businesses from the IT and high-tech industry in all stages of their development: from startup consulting to professional staffing and even location marketing campaigns.

SuperCom

SuperCom

SuperCom are a global secure solutions integrator and technology provider for governments and other consumers facing organizations around the world.

KT Secure

KT Secure

KTSecure’s mission is to provide proven and productive cyber security solutions and managed services, backed by our highly qualified and passionate team of experts.

Advantex Network Solutions

Advantex Network Solutions

Advantex Network Solutions are a leading provider in Mitel, IT Solutions, Networking, and iP surveillance.

Cyber Legion

Cyber Legion

Cyber Legion Ltd is a UK-based Cyber Security as a Service (CSaaS) start-up that provides IT security testing services to various organizations around the globe.

PeoplActive

PeoplActive

PeoplActive is an IT consulting and recruitment services organization with leading capabilities in digital, cloud and security.

Netia

Netia

Netia is a Polish telecommunications company providing a range of business services including network solutions, communications, data centre and cloud, and cybersecurity.

Cyber Grant

Cyber Grant

Cyber Grant excel in designing cybersecurity solutions for data protection. Our approach and vision, centered on ease-of-use, establish us as a benchmark in the industry for safeguarding information.